Web services are primed to be the next big development for Internet-based applications and transactions. As with any new technology, security eventually surfaces in the discussion – and Web services is no different. After all, the aim of Web services, which is to seamlessly integrate systems and applications that communicate over a network, will often allow access to sensitive information by unknown parties.
Security solutions exist for Web services, but many are not new. In fact, many security solutions for Web services today use technology that has been used for several years to secure e-commerce sites. A few new developments are underway, however, and many more will surface as the Web services market grows.
At the most basic level, Web services security can use a user ID and password for authentication, access control lists or file permissions for authorization, message digests for integrity, and SSL (Secure Sockets Layer) encryption for confidentiality. Digital signatures and time stamps can be used for nonrepudiation, but implementing these is a very complex task.
The solutions that can be implemented easily today do not provide a strong enough security infrastructure for such a critical architecture as Web services. Authentication with a user ID and password – or e-mail address in the case of Microsoft’s Passport – is trivial to crack if the communication is not encrypted. As a result, many solutions use SSL to encrypt network traffic, but SSL has its own problems. Most importantly, SSL greatly slows down the transaction process by utilizing massive amounts of CPU time for its encryption calculations. SSL accelerators can speed up this process, but they are often costly.
Another issue with SSL is that it does not provide end-to-end security. If a transaction passes through intermediary systems, such as a credit verification system or a smart gateway, there is really no way to tell whether the data was maliciously altered. Additionally, user credentials cannot be easily passed through each stop in the transaction chain, potentially hindering the success of the transaction and precluding the ability to log who initiated the transaction at each step in the process.
The Next Generation
New solutions are being developed, however, to provide better security that caters to Web services. Microsoft is implementing Kerberos in Passport to provide stronger authentication. In competition with Microsoft, the Liberty Alliance is developing a less centralized authentication model, but specifics have not yet been defined. Vendors such as Oblix and Netegrity are developing solutions to manage user credentials, which will help interoperability among the various Web services platforms.
Support for additional authentication and authorization solutions is also being developed. Smart cards and biometrics can be used to provide strong authentication. Plus, authentication frameworks are being developed to provide granular control over the authentication process.
Several developments on the XML front will provide more control than simply using SSL. The XML Signature specification defines how to represent digital signatures in XML, providing the capability to digitally sign entire documents or sections of documents. XML Encryption defines how to encrypt and decrypt documents, whether in their entirety or by section. And XKMS (XML Key Management Specification) defines how to register and distribute public keys, addressing the key distribution problems in transactions where the parties have not previously communicated.
SAML (Security Assertion Markup Language) is an XML-based mechanism to exchange authentication and authorization information. SAML will provide single sign-on capabilities to Web services, allowing a user to authenticate once and be able to access multiple applications.
Finally, no security architecture is complete without policies. XACML (Extensible Access Control Markup Language) specifies how to express policies for information access via a network.
Web services are complex, and this article has merely scratched the surface of related security issues. For example, we did not even touch on many of the server-side issues, such as how to prevent malicious code from being executed. Although new developments will make Web services more secure, the real answer to good security is always the same: Defined security policies and proper implementation, administration, and maintenance are key to the success of any security infrastructure.
Secure Web Services Start With XML
A host of new standards will bolster authentication, authorization, encryption, and key management.
Kerberos
Kerberos is an authentication technology that uses cryptographic tokens to identify users and can be used to authenticate Web service users.
SAML (Security Assertion Markup Language)
SAML is an XML-based mechanism to exchange authentication and authorization information that provides single sign-on capabilities for Web services.
XML Signature
The XML Signature specification defines how to represent digital signatures in XML, providing the capability to digitally sign entire documents or specific sections.
XML Encryption
Similar to XML Signature, this specification defines how to encrypt and decrypt documents, whether in their entirety or by section.
XKMS (XML Key Management Specification)
This specification defines how to register and distribute public keys, addressing the key distribution problems in transactions where the parties have not previously communicated.
XACML (Extensible Access Control Markup Language)
XACML specifies how to express policies for information access over a network. Digital rights management is included here.
THE BOTTOM LINE
Web Services Security
Executive Summary: Web services are a key component of many organization’s future business-integration initiatives, and security should not be left on the back burner. Developing strong policies and a proper infrastructure today will save a lot of headaches down the road.
Test Center Perspective: Current technologies, including SSL and HTTP basic authentication, provide some security for Web services, but new developments will provide much stronger protection. Ensuring security measures are properly implemented and deployed now will save time and money in the long run.
Technology Analyst Mandy Andress ( [email protected]) covers security and networking for the InfoWorld Test Center.
